One Time Password via Text Message: Possible exploits?
Is there a credible scenario in which the OTP (One Time Password) for online credit card transactions (specifically for Verified by Visa) can be bypassed?
Context: A guy I know was cheated via the usual social engineering routes (dumb I know!) into revealing his Credit Card details & a fraudulent transaction was made. The bank says an accurate OTP was entered and hence their liability ends. I tend to agree with them.
The victim OTOH insists that although he did give his Card Number, Expiry date & CVV to the phishers over the phone, he never gave them the OTP received via his cellphone SMS (text message). I find that hard to rationalize.
That's why I'm wondering if there really could be channels of attack that somehow defeat the OTP-SMS protection? The only possibility I could brainstorm is some variant of SIM card cloning.
What do people think? Know any exploit reports like this in the wild? (Normally I'd have not believed the victim's insistence that he never revealed the OTP, but I'm just playing devil's advocate for a bit.)
In case it matters, Verified by Visa uses a 4-6 digit OTP sent via text message & it is supposed to expire in 180 secs.
I know that, for example, with Facebook you can generate 10 OTP codes that can be used. Other than having your phone compromised, or the phone linked to another account, it doesn't seem likely really.
At least with my Credit Card's OTP system the moment you generate a new OTP the last one gets invalidated. At least, that's how it is supposed to work. I haven't stress tested the system much. :)
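The single-use, 180-second expiry and "new code invalidates the old one" properties discussed in the question and the comment above, as an added example that is not from the original thread or from any bank's implementation: a minimal server-side OTP validator. The 6-digit length, the three-guess limit, and the injectable clock and random source are assumptions made here so the behaviour can be exercised offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

OTP_TTL_SECONDS = 180   # expiry window quoted in the question
OTP_DIGITS = 6          # question says 4-6 digits; 6 assumed here
MAX_ATTEMPTS = 3        # assumed guess limit per issued code


@dataclass
class _PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OtpIssuer:
    """Server-side OTP state for one card/transaction (constructed example).

    A code expires after OTP_TTL_SECONDS, is accepted at most once, allows
    at most MAX_ATTEMPTS guesses, and issuing a new code invalidates the
    previous one. clock and rng are injectable for offline testing.
    """
    clock: Callable[[], float] = time.time
    rng: Callable[[int], int] = secrets.randbelow
    _pending: Optional[_PendingOtp] = field(default=None, init=False)

    def issue(self) -> str:
        # Zero-pad so a code such as 004217 keeps its leading zeros.
        code = f"{self.rng(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Overwriting the pending entry is what invalidates the older code.
        self._pending = _PendingOtp(code=code, issued_at=self.clock())
        return code

    def verify(self, submitted: str) -> bool:
        pending = self._pending
        if pending is None:
            return False                  # nothing issued, or already used
        if self.clock() - pending.issued_at > OTP_TTL_SECONDS:
            self._pending = None          # expired: discard, force a reissue
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.code, submitted)   # constant-time
        if ok or pending.attempts >= MAX_ATTEMPTS:
            self._pending = None          # single use, or guess budget spent
        return ok
```

Note that none of these server-side checks help when the legitimate code is read off the handset and relayed within the window, which is the scenario the rest of the thread discusses.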
Verified by VISA is only required depending on the transaction amount; on my card, for example, sometimes it doesn't ask for it at all, and for low amounts it only asks for my birth date. Did the bank actually confirm that an OTP was used, as opposed to a birth date or similar personal info?
As OTP by SMS grows in popularity, there's a growing trend in malware to steal it.
For example, check out this report on NeverQuest. Once it infects your computer and steals all your other credentials, it shows a very professional looking page, apparently from your bank, asking you to download an app. And then of course, it steals your OTPs.
If your friend insists that he was not asked to download an app, then the likely scenario is this:
- He downloaded an app that looked legit and required text message reading permissions.
- Once the app was running, it sent his phone number to the scammers.
- The scammers called him and asked for his details.
- The scammers logged in using his details.
- The bank sent your friend an OTP.
- The app forwarded it to the scammers and deleted the SMS from the phone.
- The scammers completed login using the OTP.
I've not heard of this method in use, but it would be very simple to implement. Much easier than NeverQuest.
To me this scenario sounds the most likely so far. I'll check what apps he has on his cell.